question

Naveen-6282 avatar image
0 Votes"
Naveen-6282 asked Naveen-6282 answered

Unable to create a resource.

I get below error.

What does it mean ?
and How can I get to know what Naming Policies are being enforced ?

Many thanks in advance.


{"code":"RequestDisallowedByPolicy","target":"mehtadp200","message":"Resource 'mehtadp200' was disallowed by policy. (Code: RequestDisallowedByPolicy)","additionalInfo":[{"type":"PolicyViolation","info":{"policyDefinitionDisplayName":"Git commit Hash tag on Azure resource","policySetDefinitionDisplayName":"Tagging for resource group","evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.Resources/subscriptions/resourceGroups","targetValue":["Microsoft.Resources/subscriptions/resourceGroups"],"operator":"In"},{"result":"False","expressionKind":"Value","expression":"[take(field('tags[git_commit_hash]'), 6)]","expressionValue":"","targetValue":"......","operator":"Match"}]},"policyDefinitionId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyDefinitions/tagging-git-commit","policySetDefinitionId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policySetDefinitions/tagging-resource-group","policyDefinitionReferenceId":"4845430965885124842","policySetDefinitionName":"tagging-resource-group","policyDefinitionName":"tagging-git-commit","policyDefinitionEffect":"Deny","policyAssignmentId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyAssignments/00251279e9fc4d1ba73e04fa","policyAssignmentName":"00251279e9fc4d1ba73e04fa","policyAssignmentDisplayName":"Tagging for resource group","policyAssignmentScope":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398","policyAssignmentParameters":{}}},{"type":"PolicyViolation","info":{"policyDefinitionDisplayName":"Git url tag on Azure resource","policySetDefinitionDisplayName":"Tagging for resource group","evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.Resources/subscriptions/resourceGroups","targetValue":["Microsoft.Resources/subscriptions/resourceGroups"],"operator":"In"},{"result":"False","expressionKind":"Value","expression":"[take(field('tags[git_url]'), 8)]","expressionValue":"","targetValue":"https://","operator":"Match"},{"result":"False","expressionKind":"Value","expression":"[take(field('tags[git_url]'), 4)]","expressionValue":"","targetValue":"git@","operator":"Match"}]},"policyDefinitionId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyDefinitions/tagging-git-url","policySetDefinitionId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policySetDefinitions/tagging-resource-group","policyDefinitionReferenceId":"4312284359211068115","policySetDefinitionName":"tagging-resource-group","policyDefinitionName":"tagging-git-url","policyDefinitionEffect":"Deny","policyAssignmentId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyAssignments/00251279e9fc4d1ba73e04fa","policyAssignmentName":"00251279e9fc4d1ba73e04fa","policyAssignmentDisplayName":"Tagging for resource group","policyAssignmentScope":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398","policyAssignmentParameters":{}}},{"type":"PolicyViolation","info":{"policyDefinitionDisplayName":"RG Naming Standards","evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.Resources/subscriptions/resourceGroups","targetValue":"Microsoft.Resources/subscriptions/resourceGroups","operator":"Equals"},{"result":"False","expressionKind":"Value","expression":"[first(skip(split(field('name'), '-'), 1))]","expressionValue":null,"targetValue":"UKS","operator":"MatchInsensitively"},{"result":"False","expressionKind":"Value","expression":"[first(skip(split(field('name'), '-'), 1))]","expressionValue":null,"targetValue":"UKW","operator":"MatchInsensitively"},{"result":"False","expressionKind":"Value","expression":"[first(skip(split(field('name'), '-'), 1))]","expressionValue":null,"targetValue":"EUN","operator":"MatchInsensitively"}]},"policyDefinitionId":"/providers/Microsoft.Management/managementGroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyDefinitions/RG Naming Standards","policySetDefinitionId":"/providers/Microsoft.Management/managementGroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policySetDefinitions/Naming Standards","policyDefinitionReferenceId":"7004565952790260503","policySetDefinitionName":"Naming Standards","policyDefinitionName":"RG Naming Standards","policyDefinitionEffect":"Deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyAssignments/Naming Policies (Global)","policyAssignmentName":"Naming Policies (Global)","policyAssignmentDisplayName":"Naming Policies (Global)","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/3ded2960-214a-46ff-8cf4-611f125e2398","policyAssignmentParameters":{}}}],"policyDetails":[{"isInitiative":true,"assignmentId":"/providers/Microsoft.Management/managementgroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyAssignments/00251279e9fc4d1ba73e04fa","assignmentName":"Tagging for resource group","auxDefinitions":[{"definitionName":"Git commit Hash tag on Azure resource","nonComplianceMessage":null},{"definitionName":"Git url tag on Azure resource","nonComplianceMessage":null}],"viewDetailsUri":"https://portal.azure.com#blade/Microsoft_Azure_Policy/EditAssignmentBladeV2/assignmentId/%2Fproviders%2FMicrosoft.Management%2Fmanagementgroups%2F3ded2960-214a-46ff-8cf4-611f125e2398%2Fproviders%2FMicrosoft.Authorization%2FpolicyAssignments%2F00251279e9fc4d1ba73e04fa"},{"isInitiative":true,"assignmentId":"/providers/Microsoft.Management/managementGroups/3ded2960-214a-46ff-8cf4-611f125e2398/providers/Microsoft.Authorization/policyAssignments/Naming Policies (Global)","assignmentName":"Naming Policies (Global)","auxDefinitions":[{"definitionName":"RG Naming Standards","nonComplianceMessage":null}],"viewDetailsUri":"https://portal.azure.com#blade/Microsoft_Azure_Policy/EditAssignmentBladeV2/assignmentId/%2Fproviders%2FMicrosoft.Management%2FmanagementGroups%2F3ded2960-214a-46ff-8cf4-611f125e2398%2Fproviders%2FMicrosoft.Authorization%2FpolicyAssignments%2FNaming%20Policies%20(Global)"}]}

azure-policy
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

VaibhavChaudhari avatar image
1 Vote"
VaibhavChaudhari answered VaibhavChaudhari commented

Looks like there are some policies (like following naming standard for new resource, applying tags etc.) defined which are restricting you to create a resource..

Open Resource Group > Policies (or Subscription > Policies) - to check the policy details

113829-image.png




Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav


image.png (14.5 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Do a quick check on how other Resource groups or resources are created in subscription and maybe follow the same naming convention.


Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav

0 Votes 0 ·

I wish I could. I don't have to access to any of the details. I have access to my own sandbox only.

0 Votes 0 ·
Naveen-6282 avatar image
0 Votes"
Naveen-6282 answered

Reached out to admin and issue resolved.

Thanks for all the help.

Regards.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Naveen-6282 avatar image
0 Votes"
Naveen-6282 answered jloudon commented

thanks.

the policy is below.
any help reverse engineering it, please.

I have tried "m-uks-r01-dp200-RG-learn" but no luck.


"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf": [
{
"not": {
"value": "[first(field('name'))]",
"matchInsensitively": "M"
}
},
{
"not": {
"anyOf": [
{
"value": "[first(skip(split(field('name'), '-'), 1))]",
"matchInsensitively": "UKS"
},
{
"value": "[first(skip(split(field('name'), '-'), 1))]",
"matchInsensitively": "UKW"
},
{
"value": "[first(skip(split(field('name'), '-'), 1))]",
"matchInsensitively": "EUN"
}
]
}
},
{
"not": {
"anyOf": [
{
"value": "[first(skip(split(field('name'), '-'), 2))]",
"matchInsensitively": "L##"
},
{
"value": "[first(skip(split(field('name'), '-'), 2))]",
"matchInsensitively": "R##"
},
{
"value": "[first(skip(split(field('name'), '-'), 2))]",
"matchInsensitively": "T##"
}
]
}
},
{
"not": {
"allOf": [
{
"value": "[if(equals(length(split(field('name'), '-')), 6), length(first(skip(split(field('name'), '-'), 3))), 100)]",
"lessOrEquals": 8
},
{
"value": "[if(greaterOrEquals(length(split(field('name'), '-')), 6), length(first(skip(split(field('name'), '-'), 3))), 0)]",
"greaterOrEquals": 1
},
{
"value": "[first(skip(split(field('name'), '-'), 4))]",
"equals": "RG"
},
{
"value": "[if(greaterOrEquals(length(split(field('name'), '-')), 6), length(first(skip(split(field('name'), '-'), 5))), 100)]",
"lessOrEquals": 8
},
{
"value": "[if(greaterOrEquals(length(split(field('name'), '-')), 6), length(first(skip(split(field('name'), '-'), 5))), 0)]",
"greaterOrEquals": 1
}
]
}
}
]
}
]
},
"then": {
"effect": "Deny"
}

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Ugh... I feel your pain... this is exactly why Azure Policy admins need to start including custom deny messages to show "valid" naming examples for resource groups when the deny effect occurs. It would certainly save you blood, sweat, and tears in deciphering the policy's JSON to figure out what the naming convention is /rantover :)

Anyways, have you tried a shorter RG name like:

m-uks-r01-RG

Jesse

1 Vote 1 ·